Closed IsaiahStapleton closed 1 month ago
@IsaiahStapleton assuming we need this by mid august to be ready for classes. Do you need any more details to move form New Issues to Backlog?
@msdisme No, there is no more details needed. I am getting started to work on this issue this week and I don't expect it to take me more than a week or two.
After creating the script to add class labels to pods. I realized that this solution won't work with gatekeeper because when running script, it adds labels to pods AFTER they are created. Gatekeeper intercepts the request for pods and DURING creation can validate these pods. But since the labels are being added after, it is not working as intended.
What I am instead going to do is try to create a Mutating Admission Controller Webhook so that during creation this label is added and then gatekeeper can validate the pods as intended.
We currently have a group-sync cronjob which adds users to a specific group so we can differentiate which users belong to which class. The issue is that we are now trying to use gatekeeper policies to validate pods (such as rejecting pods being created that don’t conform to what students should be running: class image, xsmall size, no gpu), however gatekeeper has no way of knowing which users belong to which groups (class) because they are only able to read the information contained within the yaml for the pod. We need a way to differentiate users in the rhods-notebooks namespace in a way that gatekeeper can understand, because there will be multiple classes running in rhods-notebooks namespace that will have different image, resource, and gpu requirements. So in order to solve this issue, a cronjob needs to be created that will assign a label to the pods running in rhods-notebooks namespace that tells us which class the pod belongs to. It is of value of us to use these gatekeeper policies for validation rather than a script/cronjob because gatekeeper is able to output a message to the user for why their pod creation was denied.